As others have noted, PHP's session handler is blocking. When one of your scripts calls session_start(), any other script that also calls session_start() with the same session ID will sleep until the first script closes the session.

A common workaround to this is call session_start() and session_write_close() each time you want to update the session.

The problem with this, is that each time you call session_start(), PHP prints a duplicate copy of the session cookie to the HTTP response header. Do this enough times (as you might do in a long-running script), and the response header can get so large that it causes web servers & browsers to crash or reject your response as malformed.

This error has been reported to PHP HQ, but they've marked it "Won't fix" because they say you're not supposed to open and close the session during a single script like this. https://bugs.php.net/bug.php?id=31455

As a workaround, I've written a function that uses headers_list() and header_remove() to clear out the duplicate cookies. It's interesting to note that even on requests when PHP sends duplicate session cookies, headers_list() still only lists one copy of the session cookie. Nonetheless, calling header_remove() removes all the duplicate copies.

<?php/** * Every time you call session_start(), PHP adds another * identical session cookie to the response header. Do this * enough times, and your response header becomes big enough * to choke the web server. * * This method clears out the duplicate session cookies. You can * call it after each time you've called session_start(), or call it * just before you send your headers. */function clear_duplicate_cookies() {// If headers have already been sent, there's nothing we can doif (headers_sent()) { return; }

With all this stuff we will get an error, something like:"... Cannot send session cache limiter - headers already sent (output started at ...", right?

To solve this problem we have to ignore all output sent by include files. To ensure that we need to use the couple of functions: *ob_start()* and *ob_end_clean()* to suppress the output. So, all we have to do is changing the *page.php* to this:

It seems that `session_start()` can return `true` even if the session was not properly created. In my case, the disk storage was full and so the session data could not be written to disk. I had some logic that resulted in an infinite loop when the session was not written to disk.

If you open a popup window (please no commercial ones!) with javascript window.open it might happen IE blocks the session cookie.A simple fix for that is opening the new window with the session ID in a GET value. Note I don't use SID for this, because it will not allways be available.

Unfortunately, after pulling my hair out trying to figure out why my application was working fine in every browser other than IE ( Internet Explorer) (Opera, Chrome, Firefox, Safari are what I've tested this in) - when using a DNS CNAME record (like a vanity name that is different from the DNS A record, which is the hostname of the server) sessions do not work correctly.

If you store a session var while on the CNAME:
vanity.example.com and the hostname of the server is hosname.example.com
Then try to call the variable from a different page, it will not find it because of the CNAME (I guess it store the variable under the hostname, then when trying to read it it's still looking under the CNAME) the same application works fine when accessing it under the hostname directly. Keep in mind that I was testing this on an internal network.

When you have an import script that takes long to execute, the browser seem to lock up and you cannot access the website anymore. this is because a request is reading and locking the session file to prevent corruption.

you can either
- use a different session handler with session_set_save_handler()
- use session_write_close() in the import script as soon you don't need session anymore (best moment is just before the long during part takes place), you can session_start when ever you want and as many times you like if your import script requires session variables changed.

// It is VERY important to include a Period if using// a whole domain. (.yourdomain.com)// It is VERY important to set the root path your session will always// operate in... (/members) will ensure sessions will NOT be interfered// with a session with a path of say (/admin) ... so you can log in// as /admin and as /members... NEVER do unset($_SESSION)// $_SESSION=array(); is preferred, session_unset(); session_destroy();

// To be safe, clear out your $_SESSION array// Next, what most people do NOT do is delete the session cookie!// It is easy to delete a cookie by expiring it long before the current time.// The ONLY WAY to delete a cookie, is to make sure ALL parameters match the// cookie to be deleted...which is easy to get those params with // session_get_cookie_params()...// FInally, use session_unset(); and session_destroy(); in this order to ensure// Chrome, IE, Firefox and others, are properly destroying the session.$_SESSION = array();if (ini_get('session.use_cookies')){$p = session_get_cookie_params();setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']); }session_unset();session_destroy();

// AJAX and SESSIONS.// Example... you start a session based PHP page, which then calls an Ajax (XMLHTTP) authenticated// using the SAME SESSION to Poll and output the data, for example. But, you notice when you// try to start the Polling AJAX call always HANGS and seems to hang at the session_start().// This is because the session is opened in the first page, calls the AJAX polling example, and// tries to open the same session (for authentication) and do the AJAX call, you MUST call// session_write_close(); meaning you are done writing to the $_SESSION variable, which really// represents a file that must be CLOSED with session_write_close();....// THAN you can call your AJAX Polling code to reopen the same session and do its polling...// Normally, the $_SESSION is closed automatically when the script is closed or finished executing// So, if you need to keep a PHP page running after opening a SESSION, simply close it when finished// writing to $_SESSION so the AJAX polling page can authenticate and use the same session in a// seperate web page...

PHP locks the session file until it is closed. If you have 2 scripts using the same session (i.e. from the same user) then the 2nd script will not finish its call to session_start() until the first script finishes execution.

If you have scripts that run for more than a second and users may be making more than 1 request at a time then it is worth calling session_write_close() as soon as you've finished writing session data.

<?php// a lock is places on the session, so other scripts will have to waitsession_start();

// do all your writing to $_SESSION$_SESSION['a'] = 1;

// $_SESSION can still be read, but writing will not update the session.// the lock is removed and other scripts can now read the sessionsession_write_close();

If you are using a custom session handler via session_set_save_handler() then calling session_start() in PHP 7.1 you might see an error like this:session_start(): Failed to read session data: user (path: /var/lib/php/session) in ...

As of this writing, it seems to be happening in PHP 7.1, and things look OK in PHP7.0.

It is also hard to track down because if a session already exists for this id (maybe created by an earlier version of PHP), it will not trigger this issue because the $session_data will not be null.

The fix is simple... you just need to check for 'null' during your read function:

<?php

function read($id){//... pull the data out of the DB, off the disk, memcache, etc$session_data = getSessionDataFromSomewhere($id);

//check to see if $session_data is null before returning (CRITICAL)if(is_null($session_data)) {$session_data = ''; //use empty string instead of null!}

A session created with session_start will only be available to pages within the directory tree of the page that first created it.

i.e. If the page that first creates the session is /dir1/dir2/index.php and the user then goes to any page above dir2 (e.g. /dir1/index.php), session_start will create a new session rather than use the existing one.

If you ever need to open multiple distinct sessions in the same script and still let PHP generate session ids for you, here is a simple function I came up with (PHP default session handler is assumed):

if (session_id() != '') { // if a session is currently opened, close itsession_write_close(); }session_name($name); if (isset($_COOKIE[$name])) { // if a specific session already exists, merge with $created_sessions$created_sessions[$name] = $_COOKIE[$name]; } if (isset($created_sessions[$name])) { // if existing session, impersonate itsession_id($created_sessions[$name]);session_start(); } else { // create new sessionsession_start();$_SESSION = array(); // empty content before duplicating session file // duplicate last session file with new id and current $_SESSION content // If this is the first created session, there is nothing to duplicate from and passing true as argument will take care of "creating" only one session filesession_regenerate_id(empty($created_sessions));$created_sessions[$name] = session_id(); }}

When using this function, session_start() should not be called on its own anymore (can be replaced with a call to session_switch() without argument).Also remember that session_start() sets a Set-Cookie HTTP header on each call, so if you echo in-between sessions, wrap with ouput buffering.

Note: it's probably rarely a good idea to handle multiple sessions so think again if you think you have a good use for it.Personally it played its role for some quick patching of legacy code I had to maintain.

A note about session_start(), custom handlers and database foreign key constraints, which I think may be of some use...

We know that if we want our sessions into a database table (rather than the default storage), we can refer to session_set_save_handler(...) to get them there. Note that session_set_save_handler must (obviously) be called before session_start(), but let me get to the point...

Upon calling session_start() the "first time", when the session does not already exist, php will spawn a new session but will not call the write handler until script execution finishes.

Thus, the session at this point exists in the server process memory, but won't be visible as a row in the DB before the script ends.

This seems reasonable, because this avoids some unnecessary database access and resource usage before we even populate our session with meaningfull and definitive data, but this also has side-effects.

In my case, the script called session_start() to make sure a session was initiated, then used session_id() to populate another table in the DB, which had foreign_key constraint to the "sessions" table. This failed because no session was in the db at that point, yet!

I know I could simply force the creation of the row in the DB by manually calling the write handler after session_start(), when necessary, but I am not sure if this is the best possible approach.

As soon as I find an "elegant" solution, or a completely different approach, I will post some working sample code.

I was getting an error because of the BOM, although i set Dreamweaver to "save as" the without the BOM. It appears that DW will not change this setting in already existing files. After creating a new file withou the BOM, everything worked well.

I need, with easy, count how many times the page reload over the site, may to add a warning popup, while the counter is 0 ...session_start();if(isset($_SESSION['count'])){$count = $_SESSION['count'];$count++; $count = $_SESSION['count'] = $count;} else { $count = $_SESSION['count'] = 0;}echo $count;

Initiating a session may overwrite your own custom cache control header, which may break clicking back to get back to a prior post request (on Chrome at least).On my system it was setting 'no-store', which is much more severe than 'no-cache' and what was breaking the back-button.

If you are controlling your own cache headers carefully you need to call:session_cache_limiter('');

The problem with SID is that if on occasions you don't start a session, instead of outputting an empty string for transparent integration it will return the regular undefined constant notice. So you might want to test the constant with defined() beforehand.

I am trying to get a session created by a browser call to be used by a command line cli->curl php call (in this case, both calls to the same server and php.ini), for a set of flexible media import routines,

but the cli->curl call always starts a new session despite me putting PHPSESSID=validID as the first parameter for the url called by curl.

I was able to fix it by calling session_id($_GET['PHPSESSID']) before calling session_start() in the script called via curl.

James at skinsupport dot com raises a good point (warning) about additional requests from the browser. The request for favicon.ico, depending on how it is handled, can have unintended results on your sessions.

For example, suppose you have ErrorDocument 404 /signin.php, no favicon.ico file and all pages in your site where the user signs in are also redirected to /signin.php if they're not already signed in.

If signin.php does any clean up or reassigning of session_id (as all good signin.php pages should) then the additional request from the browser for favicon.ico could potentially corrupt the session as set by the actual request.

Kudos to James for pointing it out and shame on me for skimming past it and not seeing how it applied to my problem. Thanks too to the Firefox Live HTTP Headers extension for showing the additional request.

Don't waste days or even hours on this if your session cookies are not being sent or if the session data isn't what you expect it to be. At a minimum, eliminate this case and see if any additional requests could be at fault.

Be warned that depending on end of script to close the session will effectively serialize concurrent session requests. Concurrent background "data retrieval" (e.g. applications such as AJAX or amfphp/Flex) expecting to retrieve data in parallel can fall into this trap easily.

Holding the session_write_close until after an expensive operation is likewise problematic.

To minimize effects, call session_write_close (aka session_commit) as early as practical (e.g. without introducing race conditions) or otherwise avoid the serialization bottleneck.

It's important to note that Firefox (for one) makes two calls to the server automatically. One for the page, and one for favicon.ico.

If you are setting session variables (as I was) to certain values when a page exists, and other values when pages don't exist, the values for non-existent pages will overwrite the values for existing pages if favicon.ico doesn't exist.

I doubt many of you are doing this, but if you are, this is a consideration you need to address or you'll be bald over the course of a three day period!

I use name-based virtual hosting on Linux with Apache and PHP 4.3.2.
Every time when I refreshed (by pressing F5 in Internet Explorer) I noticed that I got a new session_id. Simultaneously browsing the same site with Netscape didn't give me that problem. First I thought this was some PHP issue (before I tested it with Netscape), but after searching a lot on the internet I found the problem.
Since I was using name based virtual hosting for my testserver and we have different webshops for different customers I used the syntax webshop_customername.servername.nl as the domain-name.
The _ in the domain name seemed to be the problem. Internet Explorer just denies setting the cookie on the client when there is a special character (like an _ ) in the domain name. For more information regarding this issue: http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112Stupidly enough, this information was related to asp (yuk :o)